
Islington ICT Security Policy Framework 2014

Source: http://slidepdf.com/reader/full/islington-ict-security-policy-framework-2014 (accessed 7/21/2019)

Islington ICT Security Policy Framework
A council-wide information technology policy framework

Version 0.9, June 2014


Copyright Notification

Copyright © London Borough of Islington 2014. This document is distributed under the Creative Commons Attribution 2.5 license. This means you are free to copy, use and modify all or part of its contents for any purpose as long as you give clear credit for the original creators of the content so used. For more information please see: http://creativecommons.org/licenses/by/2.5/

Contacts

If you need any further information about this document or any clarity about the contents of the document, please contact:

Revision History

Date         Version   Reason for change       Author
             0.7       First draft             Jeremy Tuck
26.1.2012    0.7.1     Annual Review           Sinead Mulready and Jeremy Tuck
Aug 2012     0.7.2     Reviewed and updated    Sinead Mulready
July 2013    0.8       Reviewed and updated    Sinead Mulready
June 2014    0.9       Reviewed and updated    Sinead Mulready


TABLE OF CONTENTS

1 PURPOSE OF THIS DOCUMENT .................................. 4
2 BACKGROUND ................................................ 4
3 THE POLICY FRAMEWORK ...................................... 4
3.1 OVERARCHING STATEMENT OF COMMITMENT ..................... 4
3.2 WHO DO THESE POLICIES APPLY TO? ......................... 4
3.3 POLICY STANDARDS ........................................ 5
4 THE ICT SECURITY POLICIES ................................. 6
5 STAFF TRAINING AND AWARENESS .............................. 6
6 DEFINING INFORMATION SECURITY ............................. 6
7 ANNUAL IT INFRASTRUCTURE HEALTH CHECK ..................... 7
8 CHANGES TO ICT POLICIES ................................... 7
8.1 ANNUAL REVIEW, APPROVAL, AND ADOPTION ................... 7
8.2 AD HOC CHANGE PROCEDURE ................................. 8
9 POLICY COMPLIANCE ......................................... 8
10 GOVERNANCE, APPROVAL AND REVIEW .......................... 9
10.1 CORPORATE GOVERNANCE GROUP ............................. 9
10.2 FORMAL APPROVAL, ADOPTION AND REVIEW ................... 9


1 PURPOSE OF THIS DOCUMENT

This document sets out the overarching policy framework for Islington Council’s data security arrangements and describes the governance arrangements in place to make sure they are fit for purpose and regularly reviewed. It also sets out the overarching security policy statements to which the council will adhere.

2 BACKGROUND

Technology is an intrinsic part of our daily working environment and has changed the way we interact and retain important information. This makes security management vital for public confidence and for the efficient conduct of public business. In order to maintain the highest standards of information security, the council has developed a number of policies to protect information technology assets, such as computer hardware and software, telecommunications equipment and data held within the council’s IT systems. The objectives of these policies are:

a) To achieve a council-wide security minimum standard.
b) To make the public and all users of the council's information systems confident of the confidentiality, integrity and availability of the information used and produced.
c) To minimise business damage and interruption caused by security incidents.
d) To meet all legislative and regulatory requirements.
e) To ensure the council's ICT equipment and facilities are used responsibly, securely and with integrity at all times.
f) To comply with the requirements set by central government when connecting to the Public Services Network (PSN).

3 THE POLICY FRAMEWORK

3.1 Overarching statement of commitment

The council is committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout Islington Council. Information and information security requirements will continue to be aligned with the council’s goals, and the framework of security policies is intended to be an enabling mechanism for information sharing, electronic operations, and reducing information-related risks to acceptable levels. In particular, business continuity and contingency plans, data back-up procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this framework.

3.2 Who do these policies apply to?

Policies serve no purpose on their own and it is important for everyone to play their part and to make security their personal responsibility. The policies also cover the data that is held by the council in any form, electronic or otherwise. All electronic, manual or other data processed by or on behalf of the council is within the scope of the security statements made in this document and the related policies. This policy framework, therefore, applies to all Councillors, Committees, Departments, Partners, Employees of the council, contractual third parties and agents of the council who use Islington Council facilities and equipment, or have access to, or custody of, customer information or Islington Council information. In addition, the policies apply to every user of the council’s IT systems and to all computer and network systems that are owned, run by or attached to council facilities.

The security of council data is the responsibility of every individual working for the council, and all staff need to protect data at all times.

Line managers are responsible for the day-to-day management of their staff to ensure that this policy is being implemented properly.

3.3 Policy Standards

The policies have been developed to be consistent with industry security standards and there have been several sources and influences:

3.3.1 ISO 27001

ISO 27001 is an auditable international standard which defines the requirements for the management of information security. The standard is designed to ensure the selection of adequate and proportionate security controls. The focus on ISO 27001 as a basis for the policy development was to move towards a standard that could be externally measured. The council acknowledges that ISO 27001 prefers to separate policy from procedure. However, for the sake of keeping each policy item ‘holistic’, the council will keep procedures and templates with each policy as far as possible. As the council becomes more mature in terms of policy management this can be reviewed. This means that each time a procedure is changed, the policy will need to be updated, but the council will accept this and include it in the policy review procedure.

3.3.2 Connection to the Government Connect Secure Extranet

The Government Connect Secure Extranet (GCSx) is the secure private Wide-Area Network (WAN) which enables secure interactions between connected Local Authorities and other government organisations. In order to meet the standards for connecting to the GCSx, the council must comply with a Code of Connection that defines the minimum standards and processes that an authority must comply with before being able to connect to GCSx.

3.3.3 HMG Security Policy Framework

As an important reference point, the HMG Security Policy Framework contains the primary internal protective security policy and guidance on security and risk management for HM Government Departments and associated bodies. It is the source on which all localised security policies should be based. The framework also provides technical information, advice and guidance to support implementation of the policy requirements.

3.3.4 Data Handling Procedures in Government

This was produced by central government and strikes the balance between the need for regular information sharing while retaining public trust in the personal data that is held by authorities.


4 THE ICT SECURITY POLICIES

The policies are based on industry good practice and replace all previous council ICT policies.

For users inside the council’s premises, the policies are:

a) User Management Policy
b) Security Incident Policy
c) Email Policy
d) Physical Security of Information Policy
e) Internet Acceptable Use Policy
f) Information Risk Policy
g) Data Transport Policy

For users outside the council’s premises, the policies are:

h) Remote Working Policy
i) Removable Media Policy
j) Third Party Access Policy

In addition, the council has two further policies which address information management:

k) Access to Information Policy
l) Data Protection Policy

5 STAFF TRAINING AND AWARENESS

The council delivers modular training to all council staff who have access to the council’s data and network. These training modules inform staff of the requirements of the ICT Security Policies. All council staff must engage with this training and complete all mandatory modules. Line managers have a responsibility to support this training, and must raise with Digital Services if any staff member does not or cannot complete the training.

6 DEFINING INFORMATION SECURITY

In this framework, information security is defined as ‘preserving the availability, confidentiality and integrity of the physical and information assets of the organisation’, where:

preserving
means that management, all full time or part time staff including agency and temporary workers, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities to preserve information security, to report security breaches and to act in accordance with the requirements of the ICT security policies. The consequences of security policy violations are described in the council’s disciplinary policy. All staff will receive information security awareness training and more specialised staff will receive appropriately specialised information security training,

the availability,
means that information and associated assets will be accessible to authorised users when required and therefore physically secure. The computer network will be resilient and the council will be able to respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There will be appropriate business continuity plans,

confidentiality
means information will only be accessible to those authorised to access it and measures will be in place to prevent deliberate and accidental unauthorised access to the council’s information and its systems,

and integrity
means safeguarding the accuracy and completeness of information and processing methods and preventing deliberate or accidental, partial or complete, destruction, or unauthorised modification, of either physical assets or electronic data,

of the physical (assets)
means the physical assets of the council, including but not limited to, computer hardware, data cabling, telephone systems, filing systems and physical data files,

and information assets
means the information assets, which includes information printed or written on paper, transmitted by post or shown in films, communicated by instant messenger or social media, as well as information stored electronically on servers, web site(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs as well as on CD ROMs, floppy disks, USB sticks, back-up tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context “data” also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc.),

of the council
means the council and any partners that have signed up to our security policy and have accepted this framework.

7 ANNUAL IT INFRASTRUCTURE HEALTH CHECK

An annual health check of all council IT infrastructure systems and facilities will be undertaken every 12 months. This health check must include, but is not restricted to, the following:

a) A full penetration test.
b) A network summary that will identify all IP addressable devices.
c) Network analysis, including exploitable switches and gateways.
d) Vulnerability analysis, including patch levels, poor passwords and services used.
e) Exploitation analysis.
f) A summary report with recommendations for improvement.

8 CHANGES TO ICT POLICIES

8.1 Annual review, approval, and adoption

This policy has been formally authorised by the Corporate Management Board. Any new policy to be added to the ICT Policy Framework must be approved by the Corporate Management Board. The Data Security Manager will lead an annual review of all ICT Security Policies.


8.2 Ad hoc change procedure

8.2.1 Requirements for policy changes may be raised by any member of staff 

Any member of staff identifying a need to change any policy within Islington’s ICT Security Policy Framework must log a work request in ICT Help Me (www.TSGhelpme.com when outside the network, or http://esplivev01/sw/selfservice/portal.php when inside the network).

8.2.2 Policy changes will be made by the ICT Performance and Assurance Team

All proposed changes will be reviewed by the Data Security Manager and will be made by the ICT Performance and Assurance Team.

8.2.3 Policy changes will be reviewed by the Data Security Working Group

The Data Security Manager will distribute revised policies to the Data Security Working Group for consultation.

8.2.4 Minor changes will be approved by the Corporate Governance Group

In the case of minor changes, the Corporate Governance Group will be notified and asked to review and approve the revised policy. Minor changes include:

a) Changes in job titles

b) Changes in team structures

c) Changes to board names where Terms of Reference remain unchanged

d) Updates to ensure current work practices are accurately described.

8.2.5 Significant changes will be approved by the Corporate Management Board

Where significant changes have been made to policies, the Corporate Governance Group (CGG) will request the Corporate Management Board (CMB) to approve and authorise the revised policy. A significant change is defined as one which will affect the way council staff will work.

8.2.6 Revised policies will be version controlled and made available on the public website

The current version of each policy will be available on the council’s website.

8.2.7 The council will maintain an archive of old policy versions

Old policy versions will be archived by the ICT Performance and Assurance Team appropriately.

9 POLICY COMPLIANCE

All employees are expected to serve the council and implement its policies to the highest standards, as described in the Code of Conduct. If any user is found to have breached this policy, they may be subject to the council’s disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s). If you do not understand the implications of this policy or how it may apply to you, please seek advice from Digital Services.


10 GOVERNANCE, APPROVAL AND REVIEW

10.1 Corporate Governance Group

This policy framework and the commitment to security management are subject to continuous, systematic review and improvement. This council-wide technology policy will be governed by the Corporate Governance Group (CGG), chaired by the Director of Finance, who is also the council’s Senior Information Risk Owner. The CGG has clear terms of reference and reports directly into the Corporate Management Board.

10.2 Formal approval, adoption and review

This policy will be formally signed off by the Corporate Management Board. The Data Security Manager will lead an annual review of all ICT Security Policies.